Introduction

You should know that the internet is a mean and nasty place, so you should follow the best practices which Amazon gladly shares.

Go to the IAM dashboard and secure your account before you start trying out or really using Amazon AWS.

Step 1: Identity and Access Management (IAM) Dashboard

Log in to the AWS console and, through the Services menu (top left, next to the AWS icon), select IAM, which should show the Welcome to Identity and Access Management dashboard.

Here you see four warnings, but in the future, there could be more.

Step 2: Activate MFA

This is probably the most important one once you use AWS to host something for your business. You may want to buy a hardware-based MFA device.

I recorded a short video showing how you set it up.

Step 3: Create an individual IAM user.

There is little point showing any screenshots here; Amazon does a brilliant job with the wizard, which takes you step by step through creating user accounts.

You’ll create an admin group in the process, and at the end you'll have a new user account and a URL that you use to log in to the AWS Management Console, e.g. https://1234567890.signin.aws.amazon.com/console. Keep this URL in a safe place.

Step 4: Apply an IAM password policy

Here you define the minimum password length your users must use, etc.

Introduction

This document lists the steps required to prepare a Linux server on Amazon for running one or more WordPress sites. If you decide to have the database on the server, then the architecture is known as "LAMP", which is an acronym for "Linux, Apache, MySQL and PHP".

If you're setting up your first machine, then write down the commands and any connection information into a journal. It will help you remember the steps and internalise anything you learn along the way. You should add knowledge to it as you go along and will see that it will become more valuable than any book you can buy.

Prerequisite

You have created an EC2 instance on Amazon and know how to connect to the machine using PuTTY or SSH.

You have chosen to run the database on the same server or use Amazon's RDS service.

You have a domain name configured for your website on Route 53 or another DNS provider.

Step 1: Ensuring Machine Is Up To Date

When you log in to the machine, you will see information about how many packages and security updates are available. You should never ignore those messages.

sudo apt-get update
sudo apt-get upgrade

The update command refreshes the list of available packages and their versions, but does not install or upgrade any packages. The upgrade command installs newer packages and security updates. Neither of them runs automatically; I recommend a monthly calendar reminder, so you keep your server safe.

If you run the server over a couple of months, then dist-upgrade will bring the operating system up to date and is known to clean up better after itself.

sudo apt-get dist-upgrade

If you are asked a question with a “Y/n” answer, type in “y” and otherwise follow any instruction.

Step 2: Install Apache Web Server

sudo apt-get install apache2

It will start installing. You will be prompted to press Y and hit Enter to continue, so do that for the installation to advance.

Step 3: Checking the web server is running

Type the IP into your browser and check the web server is running. If you haven't created an A record to point to the IP of the server, then do it now. You should get the default page; if so, congratulate yourself.

Step 4: Configuring Your Access Rights

We want maximum lockdown later on, and we want you to be able to work without using the "super user do" command sudo all the time. If you ignore this step, you'll be using sloppy access commands like "chmod 777" later on, and you could end up in a situation where you have an unprotected directory, and that's not good.

The Apache server on Ubuntu will be running under www-data; here is how you can double check that:

Assuming the user is "www-data" we're now going to add you to the apache user group.

sudo usermod -a -G www-data ubuntu
exit

We need to log out and log in again for the change to show. To check the changes are in place, you can now run:

groups

You should see the "www-data" group listed.
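
The check below is an added example, not part of the original article: it finds what "chmod 777" leaves behind under a web root and removes the world-writable bit while keeping group write access, so membership of the www-data group does the work instead. The sample directory tree and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). All paths are constructed.

# List regular files and directories under $1 that any local user can write
# to, i.e. the result of "chmod 777" or "chmod 666". Symlinks are skipped
# because they always show mode 777 and would be false positives.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Remove the world-writable bit from those entries and keep them writable
# for the owning group, so group membership replaces "chmod 777".
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w,g+w {} +
}

# Build a small constructed web root containing two sloppy entries,
# one correctly restricted file and one symlink.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    echo '<?php // constructed sample' > "$root/index.php"
    echo 'constructed sample' > "$root/wp-content/uploads/logo.png"
    chmod 755 "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"           # sloppy directory
    chmod 666 "$root/index.php"                    # sloppy file
    chmod 640 "$root/wp-content/uploads/logo.png"  # fine as it is
    ln -s "$root/index.php" "$root/link.php"       # must not be reported
    echo "$root"
}

webroot=$(make_sample_webroot)
echo "World-writable before the fix:"
find_world_writable "$webroot"
fix_world_writable "$webroot"
echo "World-writable after the fix: $(find_world_writable "$webroot" | wc -l)"
rm -rf "$webroot"
```

On the server you would point find_world_writable at the directory Apache serves from and run the fix with sudo if the files are not yours.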

Step 5: Setup Database On Server (The low budget option)

If you have decided to use Amazon RDS, then you should follow their instructions and have the instance connection information ready.

BUT, if you follow a backup strategy, then I think there is nothing bad about running the database on the server while the site is small.

I suggest you use MariaDB over MySQL. It took me a lot of time to get used to the idea of MariaDB, as I had been using MySQL since I built my first web server 15 years ago. I now realise what MariaDB is, and its development is more open and vibrant; if you don't believe me, then check out the activity on GitHub. Also, it's said to be between 3 and 5% more performant, which is very relevant for web server backends.

The command to install the database and client is:

sudo apt-get install mariadb-server mariadb-client

In the next step, we use the MySQL utility to secure everything.

This hardening we are about to do will require that you come up with a password for the root user.

sudo mysql_secure_installation

I would allow remote login, so you have the opportunity to later connect via MySQL Workbench.

Let's log in to the database to demonstrate the security.

sudo mysql -u root

Notice it didn't ask for a password. What happened? MariaDB is by default configured to use your operating system credentials through the auth_plugin.

If you want to force the password for root in the terminal, run these commands.

You will need your email address, so they can contact you for urgent renewal and security notices.

You will need to agree to their terms of service (which I would recommend downloading for safekeeping).

Then it will ask which sites you would like to activate HTTPS on.

You also need to choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. I would use the redirect, because people often forget to type in the S on the end of HTTP.

You can see the added configuration files in Apache here.

ll /etc/apache2/sites-available/

Use the cat command to review them if you like.

sudo cat /etc/apache2/sites-available/clouded.ch.conf

Let's test if the renewal will work.

sudo certbot renew --dry-run

All good? Let us hope so.

The certificate needs to be replaced regularly. We can set up automatic renewal using the scheduler. You only need to do this once.

sudo crontab -e

Choose nano as the editor, as it's the easiest to use. Then add the following line and press Ctrl+X to both save and exit. This will make the server check for a new SSL certificate every morning at 03:15 and is something you only need to set up once.

15 3 * * * /usr/bin/certbot renew --quiet

Check the settings are stored:

sudo crontab -l

Finished! GO CHECK OUT YOUR WEBSITE.

Miscellaneous: Unable To Install Plugins In WordPress

This will be a permissions problem. Run the commands to set up the ownership.